PT-2023-20456 · Xwiki · Xwiki Platform
Michael Hamann
Published 2023-03-02 · Updated 2023-03-13
CVE-2023-26056
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 3.0-milestone-1 through 14.7
XWiki Platform versions 14.4 through 14.4.4
XWiki Platform versions 13.10 through 13.10.9
Description
The issue allows executing a script with the rights of another user, provided the target user does not have programming rights. This can be achieved with a specific syntax, such as
{{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}}
which should produce an error if the user does not have script rights. However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script rights, the script is executed as if it had been written by the target user.
Recommendations
For XWiki Platform versions 3.0-milestone-1 through 14.7, update to version 14.8-rc-1 or later.
For XWiki Platform versions 14.4 through 14.4.4, update to version 14.4.5 or later.
For XWiki Platform versions 13.10 through 13.10.9, update to version 13.10.10 or later.
As a temporary workaround, consider restricting the use of the velocity context in documents to minimize the risk of exploitation.
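As an added illustration that is not part of this advisory, the following routine scans XWiki document content for the shape described above (a context macro that sets transformationContext="document" and wraps a script macro) so that such pages can be flagged for review while the workaround is in place. The sample content is constructed here; the script macro names other than velocity are assumed.

```python
import re

# Script macros whose execution the context macro could attribute to another
# author. "velocity" is the one named in the advisory; the others are assumed
# (XWiki ships several scripting macros).
SCRIPT_MACROS = ("velocity", "groovy", "python", "php", "ruby")

# One {{context ...}}...{{/context}} block; non-greedy, so a nested context
# macro is reported from the outermost opening tag to the first closing tag.
CONTEXT_RE = re.compile(
    r"\{\{context\s+(?P<params>[^}]*)\}\}(?P<body>.*?)\{\{/context\}\}",
    re.IGNORECASE | re.DOTALL,
)
# name="value" or name='value' macro parameters
PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def find_context_script_abuse(content):
    """Return findings for context macros that switch the transformation
    context to another document and wrap a script macro."""
    findings = []
    for m in CONTEXT_RE.finditer(content):
        params = {k.lower(): (v1 or v2)
                  for k, v1, v2 in PARAM_RE.findall(m.group("params"))}
        if params.get("transformationcontext", "").lower() != "document":
            continue
        body = m.group("body")
        scripts = [s for s in SCRIPT_MACROS
                   if re.search(r"\{\{" + s + r"\b", body, re.IGNORECASE)]
        if scripts:
            findings.append({
                "document": params.get("document", ""),  # whose rights are borrowed
                "scripts": scripts,
                "offset": m.start(),
            })
    return findings


# Constructed sample page content: the macro quoted in the advisory plus a
# benign context macro that keeps the default transformation context.
SAMPLE_CONTENT = (
    "Intro text.\n"
    '{{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}'
    "{{velocity}}Hello from Velocity!{{/velocity}}{{/context}}\n"
    '{{context document="xwiki:Main.WebHome"}}{{velocity}}$doc.fullName{{/velocity}}{{/context}}\n'
)

if __name__ == "__main__":
    for f in find_context_script_abuse(SAMPLE_CONTENT):
        print(f"offset {f['offset']}: {f['scripts']} run in the context of {f['document']}")
```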
Weakness Enumeration
Incorrect Authorization
Affected products
Xwiki Platform